I don't believe your shell code will work on other Kernel32.dll than the
version with the following ImageBase:
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
Because your code is reversed as:
loc_8F:
mov eax, [esi]
add eax, ebp
cmp dword ptr [eax], 50746547h
jnz short loc_C0
cmp dword ptr [eax+4], 41636F72h
jnz short loc_C0
cmp dword ptr [eax+8], 65726464h
jnz short loc_C0
mov eax, [edi+24h]
add eax, ebp
movzx ebx, word ptr [eax+edx*2]
mov eax, [edi+1Ch]
add eax, ebp
mov ebx, [eax+ebx*4]
add ebx, ebp
; should jump to found
loc_C0:
add esi, 4
inc edx
cmp edx, [edi+18h]
jnz short loc_8F
; then reached all and could not find, so find another version
So, if the Kernel32.dll happens to be different than the default, it will
simply crash without going too far.
Best regards
Peter Huang
Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the
way
